ABSTRACT

This thesis presents a wide spectrum of computer data security, including both practical and theoretical aspects of the subject. It was motivated by the concern for the general lack of effective knowledge, techniques, implementation, and application of computer data security. The objective was to (1) review the pertinent features of data security and the relationship of these features to the computer and its users; (2) generate an awareness of the techniques and problems in data security by presenting the main issues; and (3) discuss theoretical as well as specific applications of techniques and methodology for data base security and data access control. The intention was to present to everyone concerned - from the manager to the computer expert - the necessity for computer security and some of the forms which it may take.
I. INTRODUCTION

One of the most difficult problems confronting the computer industry today is that of data security. The problem is one which involves the manufacturer, operator, and user, and encompasses physical facilities, operational procedures, computer hardware, software, and programming techniques. The computer is rapidly emerging from its childhood status to take its place as an indispensable part of our modern society. The more dependent we become on the computer's abilities and the more significant its work becomes, the more important it is to protect the computer from those who would misuse its power. The problem of computer data security is expressed by Peter S. Brown [Ref. 1]:

"The computer has unleashed countless opportunities for industrial growth, activity, new applications, labor-saving accomplishments, improving the quality of decisions and many others. At the same time, computer technology has spawned a whole new field of crime and generated a series of problems for both designers and users of information systems."


Our social, political and technical lives are rooted in an information-based society with an expanding need for collecting and storing information. Most recently, even our private lives have been touched by this ability to collect and propensity for accumulating large data bases. It is generally agreed that the effective use of information provides the capability for an organization to improve its efficiency of operation. However, the advent of computers did not initiate the desire for information gathering nor did it create the data security problem. Organizations have always collected information and then had the problem of its security. Computers have enlarged the scope of information gathering, allowing greater and greater quantities of information to be collected, recorded and retrieved at high speed. The problem lies in the fact that computer based centralized information systems contain large amounts of easily accessible data, making intrusion and compromise profitable. Any effective data security system must have as its ultimate goal the methodology for ensuring that the value of the information is not worth the effort required to obtain it.

The objective of this thesis was to (1) review the pertinent features of data security and the relationship of these features to the computer and its users; (2) present the main issues in data security so that an appreciation and awareness of the techniques and problems involved can be easily grasped; and (3) discuss theoretical as well as specific applications of techniques and methodology for data base security and data access control.

Good [Ref. 26] has said, "Information is a unique asset in that it can be stolen but may never be missed (in contrast to a physical asset)." For this reason, protection of information is an insidious business and will require much of our intelligence and technology to successfully accomplish.
II. NATURE OF THE PROBLEM

A prerequisite to solving a problem is a clear understanding of the problem itself; computer data security is no exception. The intent of this section is to present the computer data security problem with respect to its origin, development, and present environment. Analysis is presented relative to the abuse and privacy infringement of computer data, and the threats against data security.


A. HISTORICAL ASSESSMENT

Historically man's quest for obtaining information and data has been the basis for innumerable tales of intrigue, deception, and ingenuity. History can be segmented into eras delimited by what has been called "data-handling revolutions" by Kahn and Prywes [Ref. 2 and 3]. The first data handling revolution began around 1650 with the institution of regular intercity postal services. Shortly thereafter, government groups often called "black chamber" operations were organized to illegally collect the information. They would intercept the mail, extract useful information, re-seal the letters, and send them on without either sender's or receiver's knowledge. The next data handling revolution began with the introduction of the telegraph about 1850. Again government organized groups, as well as commercially sponsored teams, were used for the illegal interception and distribution of telegraphic messages. The third data handling revolution commenced around 1895 with the introduction of the radio. Presently we find ourselves a few years into a major technological revolution in data handling involving computers. Historically then, it is not surprising to find individuals and organizations involved in the work of illegally obtaining, manipulating, destroying, or in some way compromising computer based data. A projection of historical developments indicates that we should expect a growing trend of well financed and organized activities to attempt to gain access to secure data.


B. SCOPE OF DATA SECURITY

The scope of data security can be as wide and complex as the data the system is designed to protect. It can range from a simple lock on the door of the computer room to the use of sophisticated hardware, software, and cryptographic techniques. Techniques for security also include programmed routines, manual procedures, and physical means using security personnel, locks, keys, badges, voice prints, and hand prints. The International Business Machine Corporation [Ref. 4] defines data security as follows:

"Data security can be defined as the protection of data from accidental or intentional disclosure to unauthorized persons and from unauthorized modification."


This definition was taken from a widely distributed IBM monograph on data security which was instrumental in focusing attention on the problem. Another definition comes from Clark Weissman [Ref. 5] who states that:

"Security of computer based data systems is the prevention of (1) unauthorized gain of information or system access, (2) denial of authorized access, and (3) data or service falsification."

The techniques of data security must be applied across the total automatic data processing (ADP) system in order to be effective. This total system can be classified into six specific elements: (1) physical environment, (2) people, (3) communications, (4) policies and procedures, (5) hardware, and (6) software. In its broadest sense, data security is involved with the storage of removable storage media, such as magnetic tape reels, magnetic disk packs, input cards, and output listings. Additionally, programmer and electronic data processing controls, auditing, personnel selection, and employee security are related to data security. Yet another category of data security is the physical protection measures such as guard services, alarms and locks, closed circuit television, and bugging devices. Also related to data security are techniques in data processing as in data checking, maintaining backup files, alternate processing facilities in case of equipment malfunction, and program testing and software verification. Lastly, part of computer data security is the legal controls and insurance safeguards for software protection, trade secrets and copyrighted material.
C. COMPUTER DEVELOPMENT

Data security is a function of the level of data that is being protected. This security is also dependent upon and dictated by the environment in which the computer is operated, and the data transmitted. One of the reasons that data security has become such a problem to the computer industry is the numerous ways a computer and its data are employed.

1. Multi-Level Data

In an environment of multi-level data, the computer system contains data with various levels of classification, such as UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET. A scheme of hardware and/or software must be employed to handle these different levels of data. The system must maintain the mutual disjunction between the different levels and still allow reasonable access by authorized users. A non-homogeneous data bank significantly increases the number and complexity of controls required to ensure data security.

2. Multi-Programming

The technique of multi-programming produces an environment which permits more than one job to occupy the main memory at the same time. Since the possibility exists that each job may be at a different level of classification, the security system must provide for compartmentalization with no possibility of intersection during simultaneous main memory occupancy. There are a number of computer data security systems which provide some measure of partitioned main memory. The MULTICS system is one of these and will be discussed later.
3. Multi-Processing

Multi-processing is a system that includes more than one central processing unit (CPU). In a multi-processing system, each CPU operates independently of one another primarily to increase system throughput or reliability. The CPU's share information by using the same main storage and by using the same input/output devices. Where main storage is shared, usually the same routines are used and the same queue of jobs serviced. According to Katzan [Ref. 6], multi-processing represents a serious potential data security problem, since a program executing in one CPU can utilize the same locks and keys used in one of the other CPU's. Specifically, the threat to data security is due to the common utilization of security controls and memory between CPU's, and the simultaneous occupancy of memory by programs using different levels of data. This condition reflects a degradation in the mutual disjointness of information segments required for a secure data system. Consequently, a more complex system of hardware and software is required to maintain data security in an environment of multi-processing.

4. Multi-Level User

At most computer installations, each user is given some level of security clearance. These classes can be as many and as varied as desired; however, most organizations follow closely the military's system of UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET. The military goes a step further and bases individual access on a two parameter function, the first being the level of clearance, and secondly a "need to know" associated with the specific data. The result is a unique set of users for each specific piece of data. In computer data security, a further restriction to the data access authority of the user is the type of access allowed, such as read only, write, append, grant further access, execute, delete, etc. A discussion of the theoretical and actual implementation of data security for a multi-level user via an access control matrix format will be discussed in sections III and IV.
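The two parameter decision described above (clearance level first, then the "need to know" attached to the specific data), followed by the further restriction on the type of access, modelled in Python as an added example that is not code from the thesis. The user names, files and topics are constructed, and the rule that every topic tagged on a data item must lie in the user's need-to-know set, with allowed access types recorded per (user, data item), is an assumption made here.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Clearance levels in increasing order (the military system cited in the text).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Access types the text lists as a further restriction on a user's authority.
ACCESS_TYPES = frozenset({"read", "write", "append", "grant", "execute", "delete"})


@dataclass(frozen=True)
class User:
    name: str
    clearance: str                 # first parameter: level of clearance
    need_to_know: FrozenSet[str]   # second parameter: topics the user needs


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: str
    topics: FrozenSet[str]         # assumption: all must lie in the user's need-to-know


# Assumption: the access types allowed are recorded per (user name, data item name).
Grants = Dict[Tuple[str, str], FrozenSet[str]]


def decide(user: User, item: DataItem, access: str, grants: Grants) -> Tuple[bool, str]:
    """Return (allowed, reason); the checks run in the order the text gives them."""
    if access not in ACCESS_TYPES:
        return False, f"unknown access type {access!r}"
    if RANK[user.clearance] < RANK[item.classification]:
        return False, f"clearance {user.clearance} is below {item.classification}"
    if not item.topics <= user.need_to_know:
        missing = sorted(item.topics - user.need_to_know)
        return False, f"no need to know for {missing}"
    allowed = grants.get((user.name, item.name), frozenset())
    if access not in allowed:
        return False, f"{access} is not an allowed access type on {item.name}"
    return True, "allowed"


def authorized_users(users: List[User], item: DataItem, access: str, grants: Grants) -> List[str]:
    """The unique set of users holding a given access to one specific piece of data."""
    return sorted(u.name for u in users if decide(u, item, access, grants)[0])


# Constructed sample population (hypothetical names, files and topics).
USERS = [
    User("alice", "TOP SECRET", frozenset({"payroll", "radar"})),
    User("bob", "SECRET", frozenset({"payroll"})),
    User("carol", "SECRET", frozenset({"radar"})),
]
PAYROLL = DataItem("payroll.dat", "CONFIDENTIAL", frozenset({"payroll"}))
RADAR = DataItem("radar.dat", "TOP SECRET", frozenset({"radar"}))
GRANTS: Grants = {
    ("alice", "payroll.dat"): frozenset({"read", "grant"}),
    ("bob", "payroll.dat"): frozenset({"read", "append"}),
    ("alice", "radar.dat"): frozenset({"read", "write"}),
    # carol is granted read on radar.dat, but her SECRET clearance never lets it apply
    ("carol", "radar.dat"): frozenset({"read"}),
}

if __name__ == "__main__":
    for u in USERS:
        for item in (PAYROLL, RADAR):
            print(f"{u.name:6} {item.name:12} read -> {decide(u, item, 'read', GRANTS)}")
    print("readers of radar.dat:", authorized_users(USERS, RADAR, "read", GRANTS))
```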
5. Remote Terminal Access

A large share of the problems in data security involves time and resource sharing remote terminal systems. Since many users have access to the system, identification and authorization security systems are needed. A system which allows users to share the direct-access storage facilities dynamically must provide a data security system that prevents one user from accessing another user's data. Since data must be sent between terminal and computer, some form of secure communication must be an integral part of any data security system. User identification and authorization, data storage, data integrity, and secure data transmission will be discussed in detail later.
D. DATA SECURITY THREATS

The underlying principle of data security is to prevent data from being compromised. The reason for the wide range of security techniques employed today is that data compromise can occur in various forms and under numerous conditions. Petersen and Turn [Ref. 7] classify the threats to data security as being accidental or deliberate.

1. Accidental Threats

The major portion of any computer data threat discussion usually involves deliberate infiltration; however, the consequences from accidental disclosure of sensitive information could be just as costly and serious as an incident in which deliberate means were used to gain data access. Accidental disclosures of data could be as a result of hardware failures, software errors from poorly designed or only partially debugged programs, or operational errors such as mounting the wrong magnetic tape or magnetic disk pack. Accidental threats are insidious in nature but can be considered logically as a proper subject of deliberate threats. Therefore, the remainder of this section will be devoted to the deliberate threats to computer data.

2. Deliberate Threats

Deliberate infiltration implies a plan or purpose with preconceived objectives in mind. Carrol and McLelland [Ref. 8] list their objectives of deliberate infiltration as: (1) gaining access to information in files; (2) discovering the information interests of users; (3) altering or destroying files; and (4) obtaining free use of system resources. Petersen and Turn [Ref. 7] further classify deliberate efforts to gain information as passive or active.

Some deliberate passive threats are caused by electro-magnetic radiation from computer hardware and communications equipment, or by observation of data traffic at some point in the system. Passive methods include electromagnetic pickup, wiretapping, and information obtained from concealed transmitters. One of the least guarded against and most productive deliberate passive techniques is to examine periodically the contents of the waste containers in and around the computer or remote terminal area. It is not uncommon for copies of partially working programs and lists of input and output data to find their way into the most convenient waste receptacle.

Most of the data security techniques and countermeasures are directed against deliberate active threats, asserts Katzan [Ref. 6]. These threats are similar for all computer data systems and differ primarily in the degree to which a specific system design feature allows exploitation. Deliberate active threats include the following:

a. Browsing

Browsing involves the use of legitimate access to the system to obtain unauthorized information.

b. Masquerading

This is the act of obtaining proper identification through improper means, such as wiretapping, and then accessing the system as a legitimate user.
c. Detection and Use of Trap Doors

The trap doors are hardware features, software limitations, or specially planted entry points that provide an unauthorized source with access to the system.

d. Entry via an Active Communications Channel

Penetrating communications channels involves intercepting messages between a user and the computer ("piggy back"), entry via the communication lines of an inactive user ("between-lines entry"), and canceling a user's signoff signal and then continuing to operate under his password and authorization.

e. Physical Means of Entry

This method includes access to the system through a position with the computer center, a communications company, or a vendor, the generation and analysis of "core dumps" and the theft of removable storage media.


E. COMPUTER ABUSE

Parker, Nycum, and Oura of the Stanford Research Institute [Ref. 9] have compiled and conducted an extensive study on computer related crime. They define computer abuse as any act associated with computers where victims have suffered or could have suffered a loss and perpetrators made or could have made a gain. There are numerous cases in the courts today concerned with breaches of computer integrity. An expert from Anderson and Company, the CPA firm, recently estimated annual losses from computer thefts in the neighborhood of [amount illegible] billion dollars [Ref. 3].
Fraud, theft, larceny, embezzlement, vandalism, extortion: the crimes are the same, only their environment is changing. The computer and its automatic data processing functions are becoming the setting for today's large scale frauds. Perpetrators of these frauds and thefts need the skills, knowledge, and access associated with computers and data communications technology.

Many of the computer frauds read like science fiction and are presented here only as an indicator of what is happening today and the potential of what may occur in the future. An analysis of computer related crimes is given by Parker and Nycum [Ref. 10]. The first programmer convicted for stealing programs was in 1964, for which he received a five year prison term. The first federal criminal case occurred in 1966 when a 21 year old programmer put a patch in his program to ignore his own checking account in checking for overdrafts. The first documented case of stealing a program from the memory of a computer over telephone circuits and a remote terminal occurred in 1971. Some recent cases of computer fraud include the $1.5 million New York Union Dime Bank embezzlement, the $2 billion Equity Funding Insurance fraud, the $1 million Los Angeles Telephone Company equipment theft and the $300,000 Long Island and Pittsburgh Westinghouse embezzlement.

The emergence of the "Robin Hood syndrome" (taking from the machines which control society) and the "skyjack syndrome" (where crime becomes popular) with respect to computers has generated an apathetic public attitude toward computer data security. Parker believes that in order to control and prevent computer related crime, ethical standards and applicable laws must be established, and that technological solutions are necessary, but not sufficient.


F. PRIVACY

The concept of "womb to tomb history" for each individual made possible by the computer's vast storage capacity and rapid retrieval capability is frightening to many people. The Federal Government has at least twenty-seven agencies and bureaus gathering information, much of which is quite private and personal [Ref. 11]. Some of these agencies and bureaus are the Census Bureau, the Customs Bureau, the Naturalization Service, the Department of State, Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), and Department of Commerce. Employers gather personal information on prospective employees, as do banks, credit card companies, doctors, lawyers, and educational institutions. The idea of a centralized, cross-referenced, easily and quickly available master file on each individual is technically possible. A total "identifier" on a master file, indexed through a single identifying number (S.I.N.), is both a temptation and a threat. The advantage of S.I.N. in time saved, cost reductions, and overall accuracy to organizations such as the police, banks, life insurance companies, Internal Revenue Service, employers, doctors, and educators is obvious and real. In terms of individual and institutional liberties, it poses a potential of serious consequences including direct infringement on basic human rights. Large centralized computer data banks using a single identification number as the total identifier for an individual do not yet exist; however, the idea is technically feasible and economically sound. The development of centralized record keeping seems almost inevitable.

Yet the potential for protection and security of data banks is contained in the basic structure of the computer itself. Its speed, accuracy, and storage capacity make the computer its own best protector. Until recently, computer access data security had been geared toward the protection of industrial and political information. Computer data banks containing sensitive information on an individual basis must protect the human right to privacy. The "right to know" or "freedom of information" must be measured against an individual's "right to privacy." The United States Constitution in its Bill of Rights guards against specific invasion of privacy in the matters of religion, speech, unreasonable search and seizure, and self-incrimination; no mention is made as to what extent individual privacy may be abridged for the good of the public. The new technology of computerized data banks has opened up new areas of challenge to the basic problem of privacy.

Hurley [Ref. 11] reports that the Department of Health, Education, and Welfare (HEW) has summed up a proposal for safeguarding personal information by including in its draft report on the subject that, "The application of automated data processing technology to the records containing personal data can be subjected to appropriate and effective social constraint without diminishing its usefulness." In the final analysis, the legislative, judicial, and executive branches of government, in conjunction with private enterprise, must work together in formulating the attitudes, climate, and background necessary to solving the problem of computer invasion of privacy. Self-regulation and self-restraint cannot in themselves provide for the guarantee of individual privacy throughout the ADP environment. A legal framework relating directly to computers and data banks seems to be the inevitable answer. A summary of the main elements of present and proposed data privacy laws is contained in Martin [Ref. 12, pages 437 to 446]. The laws and safeguards of a computerized society may require that other computers provide the checks and balances necessary to ensure the environment of informational privacy we require and desire.
III. DESIGN OF THE COMPUTER DATA SECURITY SYSTEM

The purpose of this section is to review some concepts of data security and discuss principles, methods, and techniques of data security that are independent of any particular system. An actual study of a proposed system is discussed in section V entitled, "A Data Security Model."


A. THEORY OF DATA PROTECTION

A theory of protection is discussed by B. W. Lampson [Ref. 13] and establishes a method for controlling access to the objects of a process in an operating system environment. A second paper by Graham and Denning [Ref. 14] is based on Lampson's work and presents a formal model of the elements and principles of protection theory. Both of these papers are concerned with operating system structure and hardware architecture, while the security verification system (SVS) proposed in section V suggests security isolated from the computer's operating system.

Lampson describes the computer's capabilities and resources as a set of "objects" protected by the system's hardware and software. An operational environment is created for each user which appears as a virtual machine. The objective is a protected executing program which is conditioned such that it: (1) does not destroy the operating system files or memory space; (2) will not invade other programs' domains; (3) can be shared among other system users; and (4) may invoke another program and share its data files.

Graham and Denning [Ref. 14] approach data security from seven different levels of protection of the operating system. These levels range from complete isolation of programs or data files to providing "certified" subsystems whose correctness has been completely validated and guaranteed. The objective of Graham and Denning's work is to present a structure of protection mechanisms that are effectively independent of the computer system and of internal program structure. The design of their system involves the specification of objects, subjects, and protection rules so that every attempt by a subject to access an object must be validated by the protection system. As displayed in Figure 1, we define matrix A, with subjects as rows and objects as columns. Matrix A contains attributes that describe the access privilege of subject S_i to object O_j, such that S_i would have A_ij access to O_j, where A_ij is some attribute (read, write, etc.) and P = program, F = file, D = device, and so on.

Figure 1. Access Control Matrix (rows: subjects; columns: objects).
The particular operational environment determines the manner in which the above concepts of protection theory are implemented and the degree of protection provided. Normally the hardware/software protection system is transparent to the user and is governed by the rules of the actual implementation. It should be noted that though the protection systems briefly presented here are theoretical in nature, they form the basis for many of the methods of data access security presently being designed or in use.


B. PROTECTION MECHANISMS IN MULTICS 

Whenever computer data security is discussed, particularly in the area of secure data sharing, the MULTICS system is usually mentioned; MULTICS is an acronym for Multiplexed Information and Computing Service. MULTICS is a prototype computer utility developed as a result of an ADVANCED RESEARCH PROJECTS AGENCY sponsored research program. The goal of the MULTICS project [Ref. 15] has been to produce a general purpose programming system that provides a large and diverse user community with: (1) remote terminal access as the normal mode of system usage; (2) continuous service; and (3) large amounts of on-line data storage with controlled secure sharing of information among users.

Unlike nearly all commercially available systems, the controlled information sharing of MULTICS was an initial design goal and the mechanisms to achieve this goal were built-in from the very beginning. The protection mechanism is essentially a hardware addressing mechanism and a hardware implemented mechanism for dividing a computation into multiple regions of different accessibility. Specifically, the MULTICS hardware implements an access control ring structure (see process level, page 26), in the following two ways. First, the hardware controls the access checking logic, and via the segment addressing hardware, validates each virtual memory reference. Secondly, the hardware contains instructions for changing the rings of execution. The results of this hardware based system have been a method which protects files from unauthorized use while providing secure data sharing.

Systems which have attempted to provide data security as an afterthought (after hardware design) via software implementation have had only limited success in comparison to the hardware oriented system of MULTICS. This implies that a successful data security system should be an initial design goal of the hardware, which is substantiated by Weissman in [Ref. 16]. Corbato [Ref. 17] provides an overview of the MULTICS system, including its protection features, and presents a bibliography of available documents on the system. A detailed description of the protection hardware in the new MULTICS processor is given by Schroeder and Saltzer in [Ref. 18].


C. DATA ACCESS CONTROL MECHANISMS

The purpose of data access control mechanisms in a computer system is to protect private data from compromise while providing the mechanism to allow regulated access to shareable information. David Hsiao [Ref. 19] views data access control mechanisms from three levels: (1) memory level, (2) process level, and (3) the logical level.
1. Memory Level

The memory level access control mechanisms control access to memory in terms of units of memory. The protection of the system is with respect to the segments of memory, not the segments' contents. The contents of each segment of memory are subject to the same access controls that govern each memory unit and are protected only as long as they remain within the same memory unit. A typical physical memory protection scheme employs memory bound registers or storage protection keys which restrict access to bounded memory areas.
2. Process Level

A process is simply a set of programs with its associated data. Therefore, process protection and control is concerned with access to and protection of programs. An elaborate process access control mechanism known as the "ring mechanism" was proposed by Graham [Ref. 20] and is depicted in Figure 2. This concentric ring mechanism allows one program to give control to another without violating any of the access control rights of either program. Conceptually the concentric ring mechanism requires the user to arrange his processes hierarchically, where processes at the lower part of the hierarchy (outer ring) have less privileged access rights.
Each process has a fixed number of domains (protection rings). The rings are distinguished by integers 0 through n-1 (for MULTICS, n = 7). The ith ring contains the access capabilities of rings i+1, i+2, ..., n-1, and forms a proper subset of rings i-1, i-2, ..., 0. The sets of access capabilities represented by the various rings form a collection of nested subsets with ring 0 the largest and ring n-1 the smallest set in the collection. The result of this hierarchical system of rings is that protection provided by a given ring of a process is effective against procedures executing in higher numbered rings. Having multiple domains of protection generates the need to change the domain of execution of a process. Changing the domain of execution may also change the capabilities available to a process and, therefore, must be controlled. The control over the domain change is keyed to certain program locations called gates, shown in Figure 2. Changing the domain of execution must occur only as a result of a transfer of control to one of the gate locations of another domain. If the transfer is not directed to one of the gate locations, the transfer is not allowed. The use of separate access control gate location lists for each data file and separate descriptor files for each process will provide the means to control separately the use of each data file by each user's process.
Figure 2. Ring Protection Structure.
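The following is an added illustration of the ring mechanism just
described; it is not code from the thesis or from MULTICS. It models
the nested capability sets (ring i holds everything ring i+1 holds)
and the rule that a domain change is permitted only through a gate.
The ring count of 8, the capability names and the procedures are
constructed assumptions.

```python
"""Ring protection with gates: nested capability sets and gate-only
domain changes.  Added example; rings, capabilities and procedures
are constructed."""

N_RINGS = 8  # rings 0 (most privileged) .. 7 (least privileged)

# Capabilities that ring i adds beyond the rings outside it (constructed).
OWN = {
    0: {"write_segment_table", "set_ring_brackets"},
    1: {"open_file", "allocate_memory"},
    4: {"read_file"},
    7: {"compute"},
}


def capabilities(ring):
    """All capabilities available in `ring`: the union of the sets owned by
    rings ring, ring+1, ..., n-1.  Ring 0 is the largest set and ring n-1
    the smallest, so capabilities(i) is a superset of capabilities(i+1)."""
    if not 0 <= ring < N_RINGS:
        raise ValueError("no such ring")
    caps = set()
    for r in range(ring, N_RINGS):
        caps |= OWN.get(r, set())
    return frozenset(caps)


class Procedure:
    """A program that executes in `ring` and may be entered from another
    domain only at one of its `gates` (entry labels)."""

    def __init__(self, name, ring, gates=()):
        self.name, self.ring, self.gates = name, ring, frozenset(gates)


def transfer(caller_ring, target, entry):
    """Transfer control from a procedure in `caller_ring` to `entry` in
    `target`.  Returns the ring of execution after the transfer.  A
    transfer that changes the domain is allowed only through a gate; a
    transfer within the same ring involves no domain change."""
    if target.ring == caller_ring:
        return caller_ring                       # no domain change
    if entry not in target.gates:
        raise PermissionError(
            f"ring {caller_ring} -> {target.name}!{entry}: not a gate")
    return target.ring                           # domain change via a gate


def demo():
    """Ring-7 user code calling a ring-1 file service: through its gate the
    call is admitted; a jump to an arbitrary internal location is refused."""
    file_service = Procedure("file_service", ring=1, gates={"open"})
    admitted = transfer(7, file_service, "open")
    try:
        transfer(7, file_service, "raw_disk_write")
        bypass = "allowed"
    except PermissionError:
        bypass = "denied"
    return admitted, bypass


if __name__ == "__main__":
    print(demo())
```

Note that the gate check is the whole of the protection: the inner ring's
capabilities are never handed to the caller, only control of execution is,
and only at an entry the inner ring chose to export.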


3. Logical Level


The third, and highest, level of access control is the
logical level. A user will generally structure his data in
terms of logical units such as fields, records, and files.
Unlike the memory levels of access, here the logical units of
information have little resemblance to their physical or
virtual storage images. By allowing the user to associate
access control requirements and protection measures with
logical units, the access control mechanism can facilitate
direct control and protection of the information regardless
of its physical location.

Let the type of access a user has to the data base be
represented as an authority item; then the entire collection
of authority items can be viewed as an access control matrix.
Allowing the rows of the matrix to represent users and the
columns the logical units of data, as shown in Figure 3, the
entry $A_{ij}$ contains the series of access privileges and
restrictions held by user $i$ to logical unit $j$. NOTE:
F = File, r = Record, f = Field; $A_{ij}$ = Read only, Write,
Delete, Own, etc. If $A_{ij}$ is blank, access to the logical
unit is denied.
[Figure 3: rows $u_1, \ldots, u_m$ (users); columns the logical
units $F, r, f$ (files, records, fields); entry $A_{ij}$ holds the
privileges of user $i$ on unit $j$, blank where access is denied.]

Figure 3. Privilege Control Matrix.


For actual implementation, the matrix is too sparse and,
therefore, would be much too expensive in terms of space to
be stored as depicted in Figure 3. Since access privileges
and restrictions to the same data units differ from one
user to another, and since there are usually more data units
than users, the implementation should be user oriented.
Specifically, there should be one set of authority items per
user. The matrix in Figure 3 is essentially the same as that
of Figure 2 on page 30, except that Figure 3 is user ($u_i$)
oriented and Figure 2 is process ($S_i$) oriented. In
addition, the set $\{F_1, r_2, f_3\}$ of Figure 3 is a subset
of the set $\{O_j\}$ of Figure 2.
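The user-oriented storage just argued for, as an added example (not
the thesis's code): one set of authority items per user, the access
check as a lookup in that set, and an expansion to the dense layout of
Figure 3 only to measure how sparse it is. The users, logical units and
privilege letters (R read only, W write, D delete, O own) are
constructed.

```python
"""User-oriented storage of the privilege control matrix of Figure 3.
Added example; users, units and privilege letters are constructed."""
from collections import defaultdict

PRIVILEGES = {"R": "read only", "W": "write", "D": "delete", "O": "own"}


class AuthorityList:
    """One set of authority items per user: the rows of the matrix kept as
    sparse dictionaries, so only non-blank entries A_ij occupy space."""

    def __init__(self):
        self._rows = defaultdict(dict)   # user -> {unit -> set of letters}

    def grant(self, user, unit, privileges):
        unknown = set(privileges) - set(PRIVILEGES)
        if unknown:
            raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
        self._rows[user].setdefault(unit, set()).update(privileges)

    def revoke(self, user, unit, privileges=None):
        """Remove some privileges, or with None the whole entry (blank cell)."""
        row = self._rows.get(user, {})
        if privileges is None:
            row.pop(unit, None)
        elif unit in row:
            row[unit] -= set(privileges)
            if not row[unit]:
                del row[unit]

    def entry(self, user, unit):
        """A_ij as a set of letters; the empty set is a blank entry."""
        return set(self._rows.get(user, {}).get(unit, ()))

    def allowed(self, user, unit, privilege):
        """The access check: granted only if the letter is present in A_ij."""
        return privilege in self.entry(user, unit)

    def units(self):
        return sorted({unit for row in self._rows.values() for unit in row})

    def density(self):
        """Fraction of non-blank cells in the dense matrix this list replaces."""
        users, units = list(self._rows), self.units()
        if not users or not units:
            return 0.0
        filled = sum(len(row) for row in self._rows.values())
        return filled / (len(users) * len(units))

    def dense_matrix(self):
        """Expand to the layout of Figure 3 (rows = users, columns = units).
        For display only: this is the form the text says is too sparse to store."""
        units = self.units()
        return {user: ["".join(sorted(self.entry(user, u))) for u in units]
                for user in sorted(self._rows)}


def sample_acl():
    """Constructed installation: three users, six logical units
    (F_k = file, r_k = record, f_k = field)."""
    acl = AuthorityList()
    acl.grant("u1", "F_1", "RWDO")   # u1 owns file F_1
    acl.grant("u1", "r_2", "RW")
    acl.grant("u2", "F_1", "R")      # u2 may only read F_1
    acl.grant("u2", "f_3", "R")
    acl.grant("u3", "F_2", "RW")
    acl.grant("u3", "r_5", "R")
    acl.grant("u3", "f_7", "R")
    return acl


if __name__ == "__main__":
    acl = sample_acl()
    print(acl.dense_matrix(), f"density={acl.density():.2f}")
```

Seven of eighteen cells are occupied in this small case; with hundreds of
fields per user the dense form is almost entirely blank, which is the
space argument made above.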


D. AUDIT AND SURVEILLANCE TECHNIQUES 

Auditing and surveillance techniques can provide immediate
warnings of illegal system penetration or a posteriori data
security protection. Monitoring can be performed so that it
is known to the infiltrator or transparent to him, with each
attempt to violate the system's security or data files
recorded for subsequent analysis. One approach is to sever
the connection of a user after several attempts to access an
unauthorized segment of data, and to report the attempted
infiltration to the computer operator or security officer
for appropriate action.

Surveillance and monitoring can be performed at various
levels depending on the classification of data being
protected and the security requirements of the system. Some
system violations can always be expected due to user
accidents. If the number of violations rises rapidly above
the expected level, it is reasonable to assume that
deliberate penetration attempts are being conducted.
Conversely, if the number of violations drops markedly below
the expected level, there might be reason to believe that
some means of illegally accessing the system has been
discovered. Data security is a dynamic function which depends
on the kind of data stored and the usage patterns of the
users that access it. The maintenance and use of security
logs is necessary for detecting the need for a change in the
data security requirements or methods.
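An added example (not the thesis's code) of the surveillance logic
described above, run over a constructed security log: violations are
counted per hour and compared with the expected accidental rate, a
sharp rise is flagged as probable penetration, a marked drop as a
possible discovered bypass, and users with repeated violations are
listed for cut-off and report. The log format, the sample lines and the
thresholds are assumptions.

```python
"""Surveillance over a security log.  Added example; the log format, the
sample lines and the thresholds are constructed assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample log: date hour:minute, user, terminal, outcome, detail.
SAMPLE_LOG = """\
1973-08-01 09:02 u17 t03 VIOLATION file=PAYROLL rule=authority
1973-08-01 09:10 u22 t01 OK file=INVENTORY
1973-08-01 09:15 u17 t03 VIOLATION file=PAYROLL rule=authority
1973-08-01 09:40 u17 t03 VIOLATION file=PERSONNEL rule=category
1973-08-01 10:05 u09 t02 OK file=INVENTORY
1973-08-01 10:30 u09 t02 VIOLATION file=CRYPTO_KEYS rule=category
1973-08-01 11:01 u31 t04 VIOLATION file=PAYROLL rule=necessity
1973-08-01 11:03 u31 t04 VIOLATION file=PAYROLL rule=necessity
1973-08-01 11:04 u31 t04 VIOLATION file=PAYROLL rule=necessity
1973-08-01 11:20 u40 t05 VIOLATION file=NUCLEAR rule=authority
1973-08-01 11:45 u40 t05 VIOLATION file=NUCLEAR rule=mode
1973-08-01 12:10 u22 t01 OK file=INVENTORY
1973-08-01 12:50 u09 t02 OK file=INVENTORY
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d):\d\d (\S+) (\S+) (OK|VIOLATION)\b")


def parse(log_text):
    """Yield (hour_bucket, user, terminal, outcome) for each well-formed line;
    malformed lines are skipped rather than trusted."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()


def violations_per_hour(log_text):
    """Violations per hour.  Hours that contain only OK lines count as zero,
    which is what makes a suspicious 'quiet' hour visible at all."""
    counts = Counter()
    for hour, _user, _term, outcome in parse(log_text):
        counts[hour] += 1 if outcome == "VIOLATION" else 0
    return dict(counts)


def assess(counts, expected, rise=2.0, fall=0.5):
    """Compare each hour with the expected accidental-violation rate:
    well above it, assume deliberate penetration attempts; well below it,
    suspect that a way around the controls has been found."""
    verdicts = {}
    for hour, n in sorted(counts.items()):
        if n > rise * expected:
            verdicts[hour] = "PENETRATION SUSPECTED"
        elif n < fall * expected:
            verdicts[hour] = "BYPASS SUSPECTED"
        else:
            verdicts[hour] = "NORMAL"
    return verdicts


def repeated_offenders(log_text, limit=3):
    """Users to be cut off and reported: `limit` or more violations."""
    per_user = defaultdict(int)
    for _hour, user, _term, outcome in parse(log_text):
        if outcome == "VIOLATION":
            per_user[user] += 1
    return sorted(u for u, n in per_user.items() if n >= limit)


if __name__ == "__main__":
    counts = violations_per_hour(SAMPLE_LOG)
    for hour, verdict in assess(counts, expected=2).items():
        print(hour, counts[hour], verdict)
    print("sever and report:", repeated_offenders(SAMPLE_LOG))
```

The "expected" rate has to come from the installation's own history;
the drop rule in particular is only meaningful against a baseline that
was itself measured when the controls were known to be intact.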
E. CRYPTOGRAPHIC APPLICATION

The best computer security system devisable can be ren- 
dered totally useless by simple wiretapping techniques dur- 
ing classified data transmission. The best-known and most 
widely used techniques to provide security for data trans- 
mission and to protect sensitive data files are called 
privacy transformations. The use of cryptographic systems
can effectively counter the wiretapping threat through
encoding (enciphering) data prior to transmission and then
decoding (deciphering) after data reception. Data files can 
be stored in the enciphered form to provide even greater 
protection against compromise. 

The basic cryptographic process is a set of rules which 
comprise the system which transforms "plain" or "clear" text 
into the "cipher" text and then back to the original text 
again. Katzan [Ref. 6] defines three main classes of general 
Cipher systems: (1) transposition systems, (2) substitution 
systems, and (3) algebraic systems. 

A transposition cipher system is one in which the characters
of the plain text data are rearranged in some prescribed
manner. The characters maintain their identity while losing
their positional significance. Transposition ciphers can
usually be easily implemented on a digital computer with
reasonable efficiency; however, they are relatively
unsophisticated and easily broken.

A substitution cipher system involves the replacement of
plain text characters by other characters. Here the plain
text characters lose their identity but usually maintain
positional significance. In its simplest form, a substitution
cipher uses two alphabets, one containing the characters of
the plain text data, the other comprising the respective
cipher equivalents.

An algebraic cipher is a system which replaces the plain
text characters with numbers using some deterministic scheme
and then performs some reversible series of mathematical
operations on these numbers.

Ciphers need not be restrained to a single system for
their generation. Use of a digital computer for encoding
and decoding data allows numerous cipher systems to be
combined in a complex cryptographic system which is both fast
and virtually error free. Van Tassel [Ref. 21] lists four
criteria that could be applied to the design of a
cryptographic system: (1) it should not be necessary to keep
the method secret, only the keys; (2) the amount of secrecy
obtained should be directly related to the amount of
computing time necessary to use the system; (3) the system
should destroy the statistical parameters of the natural
structure of the language; and (4) an error should not
destroy successive information.

The Vernam cipher system, invented in 1917 by Gilbert S.
Vernam, is particularly applicable to a computer based data
system. In computer use this cipher is keyed by a pseudo-
random number generation scheme. The Vernam cipher uses the
"exclusive or" operator, so that if the plain text were
10011 and the key were 01001, then the encipherment would
be 11010.

This system is particularly convenient since all digital
computers use the binary digits 0 and 1 to represent their
characters, most digital computers have an "exclusive or"
operator, and encoding and decoding are reciprocal
operations. Originally, Vernam used a tape of random binary
digits; however, it was soon shown that periodic keys were
subject to decryption. The infinite key method presented by
Carroll and McLelland [Ref. 8] is a technique for use with
the Vernam cipher. This method uses random numbers generated
by a pseudo-random number generator, usually available on
most general purpose computers, with the seed being an N-
digit password. The method "exclusive or's" the random keys
with the characters of the plain text data, exactly as in the
Vernam cipher. By manipulation of the seed after N random
keys are generated (where N is the maximum period of the
generator), any number of characters can be enciphered.

Now all that remains is the synchronization of the activities
on each end of the data line. This is usually done by
establishing a set of variables (seeds) for the generator and
transporting the information between sites by courier or
registered mail. All a message need provide is an indexing
number into the particular set of variables to be used in the
generation process. Thus, effective synchronization can take
place for each data set that is to be enciphered or
deciphered.
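An added example (not code from the thesis or from Carroll and
McLelland) of the mechanism described above: exclusive-or enciphering
under a generator keystream, a seed table shared out of band with the
message carrying only an index, and the check every practitioner wants
on this design, namely what an eavesdropper gets when two messages are
sent under the same index. The generator is a plain linear congruential
generator standing in for the library generator of the period, the
seed table and messages are constructed, and the security caveat is the
point: an LCG keystream is statistically random but predictable from a
few output words, and the "infinite" key has no more entropy than the
N-digit password it is seeded from.

```python
"""Vernam (exclusive-or) enciphering keyed by a pseudo-random generator,
with seed-table synchronization.  Added example; generator, seed table
and messages are constructed, and the generator is NOT secure."""


def key_stream(seed, modulus=2 ** 31, a=1103515245, c=12345):
    """Yield key bytes from a linear congruential generator (assumption:
    a stand-in for the 'usually available' library generator)."""
    x = seed % modulus
    while True:
        x = (a * x + c) % modulus
        yield (x >> 16) & 0xFF          # the better-mixed high bits


def vernam(data, seed):
    """XOR each data byte with the next key byte.  Enciphering and
    deciphering are the same operation, because k ^ k == 0."""
    return bytes(b ^ k for b, k in zip(data, key_stream(seed)))


def seed_from_password(password):
    """The text seeds the generator with an N-digit password."""
    if not password.isdigit():
        raise ValueError("password must be an N-digit string")
    return int(password)


# Seed table transported between the sites by courier (constructed).
# A message carries only the index of the seed used, never the seed.
SEED_TABLE = {1: seed_from_password("738291"),
              2: seed_from_password("104455")}


def send(index, plaintext):
    """Sender: (index, ciphertext); the index is the only synchronization data."""
    return index, vernam(plaintext, SEED_TABLE[index])


def receive(index, ciphertext):
    """Receiver: look up the same seed and decipher."""
    return vernam(ciphertext, SEED_TABLE[index])


def text_example():
    """The 5-bit example in the text: plain 10011, key 01001 -> cipher 11010."""
    return 0b10011 ^ 0b01001


def reuse_leak(c1, c2):
    """Failure mode: if two messages go out under the same index, XORing the
    two ciphertexts cancels the key and yields the XOR of the two plaintexts.
    Every data set therefore needs a fresh seed (index)."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    idx, ct = send(1, b"ATTACK AT DAWN")
    print(idx, ct.hex(), receive(idx, ct))
    _, ct2 = send(1, b"RETREAT NOW   ")
    print(reuse_leak(ct, ct2))
```

The seed manipulation after N keys that the text mentions is omitted here;
the generator's period far exceeds any single message, and the safe
remedy for long or repeated traffic is a new index, not a longer run of
the same keystream.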
The foregoing section on cryptology has been presented
as a quick overview of a vast subject with only one specific
application to a computer environment. Employment of
cryptographic techniques is an absolute necessity where the
security of transmission lines cannot be guaranteed and the
classification of data warrants the additional time and
cost. For additional references on cryptology relative to
the computer environment, the reader is directed to Appendix
A.
IV. PHYSICAL AND ADMINISTRATIVE DATA SECURITY


The theoretical and technical controls discussed in
Section III can be effectively negated without the proper
physical and administrative controls. Wasserman [Ref. 22]
suggests that physical security is needed on all aspects of
the data processing operation. The physical protection
required in computer systems is similar to that required
for conventional office spaces. Computer installations raise
a few special problems, such as the control of
electromagnetic devices, wiretapping, electrical supplies,
and air conditioning. Administrative security has the
responsibility for the security techniques and procedures in
the day-to-day computer operation. It is generally agreed
that the weakest link in any computer data security system
is the people who operate the system. The responsibility for
personnel security clearances, and for employee attitude and
conduct with respect to data security, is a function of
administrative security.


A. PHYSICAL SECURITY CONTROLS

One author separates physical security into three layers
of defense. First, the perimeter barrier such as a wall or
fence. Second, the walls, windows, doors, and ducts of the
building itself. Third, locked cabinets and vaults. A
perimeter defense, if not guarded by some means, will act
only as a psychological deterrent to some intruders, but have
little effect on the determined intruder. A perimeter defense
that is guarded will offer the protection mentioned above as
well as an early warning of the presence of the determined
intruder. Well-secured doors and windows are essential to
good building security; thus they should have associated
alarm devices. The would-be intruder will likely enter by
some non-alarm controlled passage, such as manholes, storm
drains, utility tunnels, the roof, or through a common wall.
The combination of electronic detectors and a randomly roving
guard force can greatly enhance building security. The inner
layer (locked cabinets and vaults) of defense becomes
important simply because it is the last line of defense
between the determined intruder and the data. The security of
safes, cabinets, and store rooms is often neglected on the
naive assumption that the other two layers will keep out
intruders.

A large portion of an organization's data security plan
is based on backup tapes for recovery and re-initialization.
These tapes may prove useless if stored in an insecure
manner. Whether the storage area is a safe, vault, or
designated room, it must be resistant to burglars, fire,
water, heat, humidity, and explosion. Reliability is the
prime factor in a security system. Reliance on faulty
security equipment breeds a false sense of security which
can be disastrous. Validation of the reliability of security
equipment must be accomplished through ongoing tests which
measure equipment function against minimum standards criteria.
B. ADMINISTRATIVE SECURITY CONTROLS

Responsibility for the strategy and methodology of
physical security belongs at the highest level of management
in an ADP system. A computer system's security officer
should have the responsibility for the following: (1) overall
security coordination; (2) procedural controls; (3) controls
on programs and programmers' physical security; (4) external
administrative controls; and (5) security system audits. In
addition to his responsibilities for physical security, the
security officer may be the only person who can access the
system's authorization tables to change access authorities
for programs and data, issue passwords, and ensure correct
operation of the data security system. Finally, the security
officer should have the responsibility for investigation of
security violations, review of security audit records,
security training, and assessment of the effectiveness of
the security techniques employed.







V. A DATA SECURITY MODEL


The following data security model is presented not as a 
working mechanism, but as a first step toward a secure com- 
puter data system. A system utilizing multi-level data, 
multi-programming, multi-processing, multi-level users and 


remote terminal access is assumed. 


A. THE PHYSICAL MODEL

The literature is full of ideas, schemes, and mathematical
models developed for the purpose of user identification,
data access control, file privacy protection and new file
classification. All these proposed protection plans seem to
presuppose that the protection system will be an integral
part of the main computer's operating system. Making any
software protection system part of the operating system
creates immediate deficiencies and problems, such as: (1)
increase of operating system overhead; (2) allowing user
access to the main system prior to any user identification;
(3) no separation (logical, physical, or electrical) between
the protection system and the data it was designed to
protect; and (4) making the security system difficult, if
not impossible, to prove formally correct.

If the computer's operating system has the total
responsibility for system security, then its requirement for
CPU time and memory will increase, allowing less time for
problem directed computation. An operating system with
excessive overhead will have low efficiency as exhibited by
its poor throughput. Secondly, an unidentified user should
not be allowed entrance to the operating system for the
purpose of determining identification and data access
control level. All determination of authorization and access
authority should be made independent of and prior to actual
system connection. Once an illegal user has gained entrance
to the operating system, it is much easier for him to
circumvent the security controls. Thirdly, as a principle of
good security, there should be a buffer between that which
you are trying to protect and the protection system. Lastly,
the complexity of logic and the large number of instructions
in an operating system make it highly susceptible to
undetected penetration, trap doors, modification, and system
errors; in addition, it will be virtually impossible to prove
its correctness. Allowing the data security system to reside
as an integral part of the computer's operating system will
result in an overhead and cost per job increase, an
efficiency decrease, and a degradation in the level of
overall data security.

These considerations suggest the need for a separate,
virtually independent system for user identification and
data access control. It is proposed that all or as much of
the security responsibility as possible be delegated to a
separate, independent mini or micro computer system which
will hence be referred to as a "Security Verification System"
(SVS). The SVS has marked advantages, not the least
of which is low cost. The standard mini or micro computer
system, even with additional storage media, is in the few
thousand dollar range versus the hundreds of thousands of
dollars range of a large general purpose computer. An SVS
interfaced with a large general purpose machine, as depicted
in Figure 4, would not increase operating system overhead,
but may actually reduce it. This is true because many of the
file access decisions could be made independent of and
prior to actual access of a specific file by the operating
system. Using an SVS would keep a user separated from the
main data banks until his identification, authority,
category, and need to know relative to the specific files and
library programs were determined and authenticated. The SVS
would make all the determinations as to user identification
and data access control. The computer's operating system
would merely respond to a "go", "no go" decision and service
the authenticated user within the limits and areas prescribed
by the SVS. Utilizing an SVS as described above would allow
physical, electronic, and logical separation between the
data, CPU, and main memory, and the data security system
designed to protect and control access to them. Using a
small special purpose mini or micro computer security
verification system would make the system correctness more
easily proved because of its narrowness of purpose and
relative simplicity.
B. THE PROCEDURAL MODEL

User identification using the SVS can be made as simple 
or as extensive as the data being protected dictates. The 
following is merely one possible user identification scheme, 
parts of which utilize already existing and implemented 
methods, other parts having been proposed by various authors 
in the literature and the remaining parts are original. 

The initial login procedure would consist of typing in
the user's first name, middle initial, and last name,
followed by a user's identification number. This
identification number need not be secret and would only be
used for name/number correlation, administrative bookkeeping
and auditing, and as a final entry point into the specific
user's list of passwords and pertinent personal data. If
the name and user I.D. matched, the SVS would ask the user
to input his first, second, or third password. These
passwords could be a variable length, alphanumeric string.
The length of the password could be made a function of the
level of data to be protected. For instance, a six character
alphanumeric string would have $36^6$ possible combinations.
Two errors during initial login identification would sound
an alarm and disallow the terminal from being connected via
the SVS to the main computer. If the passwords have a
uniform random distribution, the maximum probability of
guessing the correct password on the first attempt would be
$1/36^6$ or $4.593 \times 10^{-10}$. This would increase
slightly to $1/(36^6 - 1)$ for the second attempt. In order
that the response to the computer's request for a password
would not appear on the typewritten teletype copy, a prefix
such as $PW($PASSWORD) could be mechanized to prevent the
next six input characters from being printed on the teletype
paper.

Hoffman [Ref. 23] recounts Earnest's novel approach to
the scheme of maintaining password integrity, which is based
on the assumption that an enemy is attempting to discover a
user's password for his own unauthorized use by using a
wiretap or other type of surveillance. The suggested method
is as follows. The user logs in and identifies himself with
name and user identification number (I.D.). The computer
then supplies a pseudo-random number to the user, who
performs some simple mental transformation T on the number
and then sends the result of that transformation back to the
computer. The computer (in this case the SVS) performs the
same transformation using a previously stored algorithm.
A comparison is made of the two numbers, with equality
representing authenticity of the user. The unique feature is
that while the user has performed T on X (the pseudo-random
number) to yield Y = T(X), any unauthorized listener, even if
the information is sent in the clear, sees only the numbers X
and Y. Even a simple transformation like

$$T(X) = d^2 + (\text{HOUR OF THE DAY}) + (\text{DAY} + d),$$

where $d$ is a quantity formed from selected digits of $X$,
is said to be almost impossible to break. A numerical example
of the above method after 10:00 o'clock in the morning and
before eleven o'clock on the 4th day of the month follows
(here $d = 11$ for $X = 34871$, and the hour is written as the
24-hour clock reading 1000):

The computer asks: PASSWORD(34871) =

The transformation:

$$T(X) = 11^2 + 1000 + (4 + 11) = 121 + 1000 + 15 = 1136.$$

The user responds with the number: 1136.

One time identification of a user at a remote terminal
using the form described above may not be sufficient to give
the desired level of protection. A periodic dialogue or
randomly repeated interrogation of the user via the SVS may
be necessary as a function of various parameters, such as
job classification, user and terminal clearance, file
classification, and time on line. The SVS could ask
periodically for another user password of the alphanumeric
or number transformation form, or the SVS could ask various
questions of the user which would normally only be known by
him, such as: (1) wife's maiden name; (2) date and place of
marriage; (3) oldest son's age; (4) mother-in-law's birthday,
etc.

The questions could come from a comprehensive questionnaire
filled out by the user at some earlier time. This periodic,
ongoing dialogue with the user further ensures system
security and integrity. As before, two incorrect answers to
any question energizes an alarm and drops the terminal off
the line. Another approach to two incorrect answers would be
to continue a dialogue with the suspected infiltrator while
security people are alerted. This would allow the security
force to take positive action without the infiltrator's
knowledge.
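The SVS login dialogue of this section, as an added example (not code
from the thesis or from Hoffman or Earnest): name and I.D. check,
challenge X, comparison of the user's reply with T(X), and the two-strike
alarm. It also carries the check a practitioner would run before trusting
the "sees only X and Y" argument: with T drawn from a small family, a
listener who records a few (X, Y) pairs can enumerate the family and
recover the secret. Assumptions: T(X) = d^2 + HOUR + (DAY + d) with d the
sum of the digits of the five-digit X at a secret set of positions, HOUR
the 24-hour clock reading (10:00 is 1000) and DAY the day of the month;
the user table, the secret positions and the clock values are
constructed.

```python
"""Challenge-response login with a mental transformation, plus the
eavesdropper's enumeration of the transformation family.  Added example;
the form of T, the user table and the clock values are assumptions."""
import itertools
import random

POSITIONS = range(1, 6)            # X is a five-digit challenge


def digit_sum(x, positions):
    """Sum of the digits of x at the given 1-based positions."""
    s = f"{x:05d}"
    return sum(int(s[p - 1]) for p in positions)


def T(x, positions, hour, day):
    """The mental transformation (assumed form): d^2 + HOUR + (DAY + d)."""
    d = digit_sum(x, positions)
    return d * d + hour + (day + d)


class SVS:
    """Security Verification System.  The user table maps I.D. -> (name,
    secret positions).  Two wrong answers sound an alarm and drop the line."""

    def __init__(self, users, rng):
        self.users, self.rng, self.alarms = users, rng, []

    def login(self, name, uid, answer, hour, day):
        """`answer(x)` is the user's reply to challenge x.  True if admitted."""
        record = self.users.get(uid)
        if record is None or record[0] != name:
            self.alarms.append((uid, "name/I.D. mismatch"))
            return False
        _, positions = record
        for _attempt in range(2):
            x = self.rng.randrange(10000, 100000)
            if answer(x) == T(x, positions, hour, day):
                return True
        self.alarms.append((uid, "two incorrect responses"))
        return False


def recover_positions(observed):
    """Eavesdropper's check: every subset of digit positions is a candidate
    secret; keep those consistent with all (x, y, hour, day) pairs seen in
    the clear.  Only 31 subsets exist, so two or three pairs suffice."""
    consistent = []
    for r in range(1, 6):
        for pos in itertools.combinations(POSITIONS, r):
            if all(T(x, pos, h, d) == y for x, y, h, d in observed):
                consistent.append(pos)
    return consistent


def demo():
    secret = (2, 4)
    svs = SVS({"1234": ("J. Q. USER", secret)}, random.Random(1))
    admitted = svs.login("J. Q. USER", "1234",
                         lambda x: T(x, secret, 1000, 4), 1000, 4)
    intruder = svs.login("J. Q. USER", "1234", lambda x: x + 1, 1000, 4)
    # Pairs the intruder could have recorded from the wire (constructed).
    seen = [(34871, T(34871, secret, 1000, 4), 1000, 4),
            (50213, T(50213, secret, 1000, 4), 1000, 4)]
    return admitted, intruder, svs.alarms, recover_positions(seen)


if __name__ == "__main__":
    print(demo())
```

The first recorded pair (the 34871/1136 exchange above) already narrows
the secret to three candidates and the second pair settles it, which is
why the thesis's own remedy of periodic re-interrogation helps only if
the questions are not themselves observable and enumerable.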


C. THE MATHEMATICAL MODEL 

Prior to the modeling of any system, certain assumptions
must be made. The assumptions made above still apply. In
designing security controls, particularly for a military
computer system, an environment of "malicious threat" must
be assumed. According to Weissman [Ref. 24], from which
much of the following model was taken, a security control
system should: (1) support heterogeneous levels and types
of classifications; (2) in itself be unclassified until
primed with the security parameters; (3) be isolated from
the total time sharing system; and (4) be relatively
inexpensive. The SVS attempts to fulfill the above criteria
and assumptions, while providing the security, flexibility,
and growth potential required by most computer
installations. Security is a total system problem
encompassing hardware, software, personnel, communications,
and asset physical security. In the following model, the
emphasis is on the software required to implement the SVS
hardware package because, in most working systems, this is
the area of greatest latitude and freedom in exercising data
access security control. A formal model for a software
system of identification and data access control is
developed.

In the model, a security object is defined as any object
which has or can be assigned a level of classification or
clearance, such as a user, terminal, file, job, or any other
peripheral device desired (i.e., line printer, plotter,
computer controlled card punch). For notational purposes, let
$u$ denote some user, $t$ some terminal, $j$ some job, and
$f$ some file. Various security decisions will be made as a
function of these security objects.

Next we introduce the idea of a security property. Each
of the security objects is described by a security profile
that is an ordered set of four security properties:
Authority (A), Category (C), Necessity (K), and Mode (M). The
security property "Authority" is defined as the clearance of
an object, such that UNCLASSIFIED ($a^0$), CONFIDENTIAL
($a^1$), SECRET ($a^2$), and TOP SECRET ($a^3$) are elements
which belong to the hierarchically ordered set A, where

$$A = \{a^0, a^1, a^2, a^3\}. \qquad (1)$$

The security property "Category" points to specific
compartments which are mutually exclusive sanctuaries with
specific jurisdictions, such as RESTRICTED ($c^0$), CRYPTO
($c^1$), EYES ONLY ($c^2$), NUCLEAR ($c^3$), POLITICAL
($c^4$), and INTELLIGENCE ($c^5$), where the Category C is
the set

$$C = \{c^0, c^1, c^2, c^3, c^4, c^5\}. \qquad (2)$$

The security property "Necessity" (or need to know) is the
set of users for each security object, such that

$$K = \{u \mid u \text{ is a user}\}. \qquad (3)$$

The security property "Mode" indicates the type of data
access required. The Mode indicates READ ONLY DATA ($m^0$),
ADD TO DATA ($m^1$), CHANGE EXISTING DATA ($m^2$), DELETE
FROM DATA ($m^3$), EXECUTE A PROGRAM ($m^4$), or CHANGE A
PROGRAM ($m^5$). If we let $o$ denote a security object, then
the set $M_o$ may contain none, any combination of, or all
the elements belonging to M, where

$$M = \{m^0, m^1, m^2, m^3, m^4, m^5\}. \qquad (4)$$

With respect to the "Necessity" property (K), it is possible
to distinguish four sets of users if we allow the user $u$ to
be superscripted by the specific security object. If we let
$u^f_0$ denote that user number 0 has access to file $f$, and
so on for the other three security objects, except that
$u^u$ is simply $u$ itself, then with respect to "Necessity"
it is possible to define

$$K_u = \{u\} \qquad (5)$$

$$K_t = \{u^t_0, u^t_1, \ldots, u^t_p\} \qquad (6)$$

$$K_j = \{u^j_0, u^j_1, \ldots, u^j_q\} \qquad (7)$$

$$K_f = \{u^f_0, u^f_1, \ldots, u^f_r\} \qquad (8)$$

Above, equation (5) is saying that the need-to-know for
a user is restricted to himself. Equation (6) states that
the Necessity of terminal $t$ consists of the different
users $u^t_0, \ldots, u^t_p$ who have access to $t$.
Equations (7) and (8) are similarly defined. The matrix of
Figure 5 presents the rules for determining the four security
properties for a given object. An example of these rules
follows. For a user $u$, $A_u$, $C_u$, and $M_u$ are
assigned as constants. $K_u$ is given by Equation (5). For a
                             SECURITY PROPERTY

SECURITY      AUTHORITY       CATEGORY        NECESSITY    MODE
OBJECT        (A)             (C)             (K)          (M)

USER (u)      assigned const. assigned const. K_u, eq. (5) assigned const.

TERMINAL (t)  assigned const. assigned const. K_t, eq. (6) assigned const.

JOB (j)       min(A_u, A_t)   C_u ∩ C_t       K_j, eq. (7) access required

FILE (f)      assigned const. assigned const. K_f, eq. (8) assigned const.

Figure 5. Security Property Determination Matrix.

terminal $t$, $A_t$, $C_t$, and $M_t$ are assigned constants
while $K_t$ is given by equation (6). For a job, since we are
given $A_u$ and $A_t$, $A_j$ is determined as

$$A_j = \min(A_u, A_t). \qquad (9)$$

Similarly, since we are given $C_u$ and $C_t$, $C_j$ is
determined as

$$C_j = C_u \cap C_t, \qquad (10)$$

and $K_j$ is given by equation (7). For a file, $A_f$, $C_f$,
and $M_f$ are assigned constants and $K_f$ is given by
equation (8).

The object now is for the SVS to control a user's access
to jobs, terminals, and files. Access will be granted to the
system if and only if $u$ belongs to the universal set of
users:

$$u \in U. \qquad (11)$$
The process for user identification and authentication is
described in the section of this thesis entitled "THE
PROCEDURAL MODEL," page 44.

Access is granted to a terminal if and only if the user
belongs to the Necessity set for the terminal:

$$u \in K_t. \qquad (12)$$

Now if our SVS concludes that equations (11) and (12)
are true for a particular user, then it can be stated that

$$u = u^u = u^t. \qquad (13)$$

Finally, access is granted to a file $f$ if and only if:

1. The authority of the job is at least the authority of
the file:

$$A_j \geq A_f, \qquad (14)$$

and

2. the Category of the job is a superset of the Category of
the file:

$$C_j \supseteq C_f, \qquad (15)$$

and

3. the Mode of the job is a superset of the Mode of the
file:

$$M_j \supseteq M_f, \qquad (16)$$

and

4. the user having jurisdiction over the job belongs to the
set of equation (8):

$$u^j \in K_f. \qquad (17)$$

If expressions (14) and (15) and (16) and (17) hold true, then
access is granted.
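The decision rules (11) through (17), with the job profile derived by
(9) and (10), as an added example; this is not code from the thesis or
from Weissman. The authority levels, category set and mode set follow
equations (1) to (4); the users, terminal, files and requested modes are
constructed. The job's necessity set is taken to be the single user
under whose jurisdiction the job runs, an assumption this section leaves
open.

```python
"""Access decision of the SVS model: rules (11)-(17) over security
profiles (A, C, K, M).  Added example; the installation is constructed."""
from dataclasses import dataclass

AUTHORITY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
CATEGORY = {"RESTRICTED", "CRYPTO", "EYES ONLY", "NUCLEAR", "POLITICAL",
            "INTELLIGENCE"}
MODE = {"READ", "ADD", "CHANGE", "DELETE", "EXECUTE", "CHANGE PROGRAM"}


@dataclass(frozen=True)
class Profile:
    """Security profile of one security object."""
    authority: int          # A: index into the ordered set a^0 < ... < a^3
    category: frozenset     # C_o: subset of CATEGORY
    necessity: frozenset    # K_o: users with need to know for this object
    mode: frozenset         # M_o: subset of MODE

    def __post_init__(self):
        if self.authority not in AUTHORITY.values():
            raise ValueError("authority not in A")
        if not self.category <= CATEGORY or not self.mode <= MODE:
            raise ValueError("category or mode not in C or M")


def job_profile(user, user_p, terminal_p, requested_modes):
    """Figure 5, job row: A_j = min(A_u, A_t) (9); C_j = C_u ∩ C_t (10);
    K_j = {user} (assumption: the user with jurisdiction over the job);
    M_j = the modes of access the job requires."""
    return Profile(min(user_p.authority, terminal_p.authority),
                   user_p.category & terminal_p.category,
                   frozenset({user}),
                   frozenset(requested_modes))


def file_access(u, universe, terminal_p, job_p, file_p):
    """Apply (11)-(17) in order; returns (granted, rule that decided)."""
    if u not in universe:                          # (11) u ∈ U
        return False, "(11) unknown user"
    if u not in terminal_p.necessity:              # (12) u ∈ K_t
        return False, "(12) user not cleared for terminal"
    if job_p.authority < file_p.authority:         # (14) A_j ≥ A_f
        return False, "(14) job authority below file authority"
    if not job_p.category >= file_p.category:      # (15) C_j ⊇ C_f
        return False, "(15) job lacks a file category"
    if not job_p.mode >= file_p.mode:              # (16) M_j ⊇ M_f, as stated
        return False, "(16) job mode does not cover file mode"
    if u not in file_p.necessity:                  # (17) u^j ∈ K_f
        return False, "(17) user not in file need-to-know set"
    return True, "granted"


def demo():
    """Constructed installation: two users, one terminal, four files."""
    universe = {"u1", "u2"}
    u1 = Profile(AUTHORITY["SECRET"], frozenset({"CRYPTO", "NUCLEAR"}),
                 frozenset({"u1"}), frozenset(MODE))
    t = Profile(AUTHORITY["TOP SECRET"],
                frozenset({"CRYPTO", "NUCLEAR", "POLITICAL"}),
                frozenset({"u1", "u2"}), frozenset({"READ", "ADD"}))
    job = job_profile("u1", u1, t, {"READ", "ADD"})
    files = {
        "payroll": Profile(1, frozenset({"CRYPTO"}), frozenset({"u1", "u2"}),
                           frozenset({"READ"})),
        "warplan": Profile(3, frozenset({"NUCLEAR"}), frozenset({"u1"}),
                           frozenset({"READ"})),
        "treaty": Profile(1, frozenset({"POLITICAL"}), frozenset({"u1"}),
                          frozenset({"READ"})),
        "private": Profile(0, frozenset(), frozenset({"u2"}),
                           frozenset({"READ"})),
    }
    return {name: file_access("u1", universe, t, job, f)
            for name, f in files.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8} {verdict}")
```

Two remarks on the rules as the thesis states them. Rule (16) is
implemented exactly as written, job mode a superset of file mode; an
installation would more usually check the reverse, that the modes the job
requests are among those permitted on the file. And (14) through (17)
govern only the opening of a file: nothing in them stops a job that was
granted a SECRET file from writing what it read into a CONFIDENTIAL one,
the write-down problem that later models handle with a separate rule.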







VI. CONCLUSIONS 


Computer data security is a complex and many faceted
problem which has only recently received general recognition.
Technology has not now, nor will it ever be able to produce
an absolutely secure computer data system. Technology can
and must produce a system which makes it economically
infeasible to compromise computer stored information. The
complexity of a data security system depends on the level of
data being protected and the environment in which it is
being used. Hardware and software implemented data security
systems must be augmented by physical, administrative, and
legal security techniques in order to ensure the integrity
of the system.

The ultimate goal of a computer data security system is
to adequately protect the data while keeping the system
economically feasible and maintaining reasonable ease of
authorized access. Data security involves people; people
design, implement, and operate the security system to protect
data from being compromised by people. Armed with the
knowledge of the problem, the theoretical models, and the
present technology, computer data security designers must
formulate the techniques, methodology, and procedures to
eliminate illegitimate computer data exploitation.

The following quote was taken from the WWMCCS Senior
Officer's Handbook [Ref. 25]; it summarizes the motivation
for this effort.





"Currently there is no available combin- 
ation of software and hardware features that 
can insure acceptable security when process- 
ing more than one classification/category of 
data in an environment other than totally 
dedicated. This severely restricts the 
capability to share computers that were de- 
Signed for timesharing in the first place. 
To process more than one classification or 
category of data with existing hardware and 
software requires that all users be cleared 
for all data in the system, since there is 
no assurance one can access only a specified 

portion of a data base. The adverse implications of
this limitation regarding the distributed data base
concept are apparent."


Since large scale ADP systems require years in the
procurement cycle, today's security problems are essentially
the result of yesterday's neglect. If there are to be secure
automatic data processing systems tomorrow, it will depend
on what is done today.
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APPENDIX A 


This Appendix contains a list of reference material 
which pertains specifically to cryptology. 


1.  Brown, P. S. (editor), Computer and Software Security, New York,
    AMR International, Inc., 1971, p. 61-[illegible].

2.  Carroll, J. M. and P. M. McLelland, Fast Infinite-Key Privacy
    Transformation for Resource Sharing Systems, Proc. of the 1970
    Fall Joint Computer Conference, AFIPS, Vol. 37, p. 223-230.

3.  Cryptology, Collier's Encyclopedia, Vol. 7, New York,
    Crowell-Collier Educational Corporation, 1972, p. [illegible]-550.

4.  Cryptology, Encyclopedia Americana, Vol. 8, New York, Americana
    Corporation, 1972, p. [illegible].

5.  Cryptology, Encyclopaedia Britannica, Vol. 6, Chicago,
    Encyclopaedia Britannica, Inc., 1972, p. 844-851.

6.  Feistel, H., W. A. Notz, and J. L. Smith, Cryptographic Techniques
    for Machine to Machine Data Communications, Yorktown Heights, N.Y.,
    IBM Corp. Research Division, Report No. RC 3663, December 27, 1971.

7.  Gaines, H. F., Cryptanalysis, New York, Dover Publications, 1956.

8.  Girsdansky, M. B., Data Privacy, IBM Research Reports, Vol. 7,
    No. 4, 1971.

9.  Kahn, D., The Codebreakers, New York, The Macmillan Company, 1967,
    p. 125-255.

10. Krishnamurthy, E. V., Computer Cryptographic Techniques for
    Processing and Storage of Confidential Information, International
    Journal of Control, Vol. 12, No. 5, 1970, p. [illegible].

11. Meyer, C. H. and W. L. Tuchman, Pseudorandom Codes Can Be Cracked,
    Electronic Design, November 9, 1972, p. 74-76.

12. Osseck, P. R., W. A. Notz, and J. L. Smith, An Experimental
    Application of Cryptography to Remotely Accessed Data Systems,
    Proceedings of the 1972 ACM Annual Conference, p. 282-297.

13. Skatrud, R. O., A Consideration of the Application of Cryptographic
    Techniques to Data Processing, Proc. of the 1969 Fall Joint
    Computer Conference, AFIPS, Vol. 35, p. 111-117.

14. [author illegible], Need to Keep Data Secure?, Electronic Design,
    November 9, 1972, p. 68-71.

15. Van Tassel, D., Advanced Cryptographic Techniques for Computers,
    Communications of the ACM, Vol. 12, No. 12, December 1969,
    p. 664-665.

16. Van Tassel, D., Computer Security Management, Englewood Cliffs,
    N.J., Prentice-Hall, Inc., 1972, p. 219.

17. Van Tassel, D., Cryptographic Techniques for Computers, Proc. of
    the 1969 Spring Joint Computer Conference, AFIPS, Vol. 34,
    p. 367-372.




LIST OF REFERENCES 


1.  Brown, Peter S., "Computer Security - A Survey," Data Base, Vol. 4,
    No. 3, p. 1, Fall 1972.

2.  Kahn, David, The Codebreakers, Macmillan, p. 163-213, 1967.

3.  Prywes, Noah S., "Some Problems and Consideration of Computer
    Security," Naval Ship Research and Development Center (NSRDC),
    Proceedings of the Conference on Secure Data Sharing, p. 144-152,
    August 1973.

4.  "The Considerations of Data Security in a Computer Environment,"
    International Business Machines Corporation, Data Processing
    Division, 1968.

5.  Weissman, Clark, "Computer Security: Problem Dimension and Solution
    Space," NSRDC Proceedings of the Conference on Secure Data Sharing,
    Report 4130, p. [illegible], August 1973.

6.  Katzan, H., Jr., Computer Data Security, Van Nostrand Reinhold
    Company, p. 44, 1973.

7.  Petersen, H. E. and Turn, R., "System Implications of Information
    Privacy," Proceedings of the 1967 SJCC, AFIPS, Vol. 30, p. 291-300.

8.  Carroll, J. M. and McLelland, P. M., "Fast Infinite-Key Privacy
    Transformation for Resource Sharing Systems," Proceedings of the
    1970 Fall Joint Computer Conference, AFIPS, Vol. 37, p. 223-230.

9.  Parker, D. B., Nycum, S., and Oura, S. S., "Computer Abuse,"
    National Science Foundation Report NSF/RA/S-73-017, November 1973.

10. Parker, D. B. and Nycum, S., "The New Criminal," Datamation,
    Vol. 20, No. 1, p. 56, January 1974.

11. [author illegible], "The Privacy Crisis," Catholic Information
    Services, No. [illegible].

12. Martin, James, Security, Accuracy, and Privacy in Computer Systems,
    Prentice-Hall, Inc., Englewood Cliffs, New Jersey,
    p. [illegible]-440, 1973.

13. Lampson, B. W., "Dynamic Protection Structures," Proceedings of the
    1969 Fall Joint Computer Conference, AFIPS, Vol. 35, p. 27-38, 1969.

14. Graham, G. S. and Denning, P. J., "Protection Principles and
    Practice," Proceedings of the 1972 Spring Joint Computer
    Conference, AFIPS, Vol. 40, p. 417-429, 1972.

15. Schroeder, M. D., "Protection Systems in MULTICS," NSRDC
    Proceedings of the Conference on Secure Data Sharing, Report 4130,
    p. 26-33, August 1973.

16. Weissman, Clark, "Trade-off Considerations in Security Systems
    Design," Data Management, p. 14-19, April 1972.

17. Corbató, F. J., Clingen, C. T., and Saltzer, J. H., "Multics - The
    First Seven Years," Proceedings AFIPS 1972 SJCC, Vol. 40, AFIPS
    Press, Montvale, N.J., p. 571-583.

18. Schroeder, M. D. and Saltzer, J. H., "A Hardware Architecture for
    Implementing Protection Rings," Communications of the ACM, Vol. 15,
    No. 3 (March 1972), p. 157-170.

19. Hsiao, David K., "Logical Access Control Mechanisms in Computer
    Systems," NSRDC Proceedings of the Conference on Secure Data
    Sharing, Report 4130, p. 34-50, August 1973.

20. Graham, R. M., "Protection in an Information Processing Utility,"
    Comm. ACM, Vol. 11, No. 5 (May 1968), p. 365-369.

21. Van Tassel, D., Computer Security Management, Englewood Cliffs,
    New Jersey, Prentice-Hall, Inc., p. 219, April 1972.

22. Wasserman, J. J., "Plugging the Leaks in Computer Security,"
    Harvard Business Review, p. 119-129, Sept.-Oct. 1969.

23. Hoffman, L. J., "Computers and Privacy: A Survey," Computing
    Surveys, Vol. 1, No. 2, p. 85-103, June 1969.

24. Weissman, Clark, "Security Controls in the ADEPT-50 Time-Sharing
    System," Proceedings of the 1969 Fall Joint Computer Conference,
    AFIPS, Vol. 35, p. 119-133, 1969.

25. "Major Unresolved Problems," WWMCCS Senior Officers Handbook,
    Vol. II, p. 50-51, January 1973.

26. Goode, George E., "New Developments in Data and Voice Security,"
    Telecommunications, Vol. 8, No. 3, March 1974, p. [illegible].










INITIAL DISTRIBUTION LIST

                                                        No. Copies

Defense Documentation Center
Cameron Station
Alexandria, Virginia 22314

Library, Code 0212
Naval Postgraduate School
Monterey, California 93940

Chairman, Computer Science Group
Code 72
Naval Postgraduate School
Monterey, California 93940

Professor G. L. Barksdale, Jr., Code 72Ba
Computer Science Group
Naval Postgraduate School
Monterey, California 93940

CDR R. M. Hanna, Code 964
Fleet Material Support Office
Mechanicsburg, Pennsylvania 17055

LCDR Larson, USN
555 Poinsettia Street
Chula Vista, California 92010








Thesis L2734
Larson
Computer data security.

DUDLEY KNOX LIBRARY





